3 Post-Installation Tasks and Information

At the end of a successful installation, the OID Monitor, oidmon, and an instance of the Directory Server, oidldapd, are running.

Notes:

You can run multiple instances of the directory server is on the same computer. For example, you can run one instance in SSL mode and another in non-SSL mode.
If you restart the computer, you can restart Oracle Application Server Infrastructure by following the steps described in the section "Starting OracleAS Infrastructure" in Oracle Application Server Administrator's Guide.
The Oracle Internet Directory servers—that is, the directory server, the directory replication server, and the directory integration and provisioning server daemons—can be started only by the operating system user who installed the Oracle Internet Directory software.

Before configuring and using Oracle Internet Directory, you must perform the tasks described in this chapter. This chapter also lists the locations of the log files of the various Oracle Internet Directory components.

This section contains these topics:

Task 1: Reset the Default Security Configuration
Task 2: Reset the Default Password for the Database
Task 3: Run the OID Database Statistics Collection Tool
Tasks to Perform After Upgrading from Release 9.0.2
Determining LDAP Port Assignment on UNIX and Linux
Log File Locations

3.1 Task 1: Reset the Default Security Configuration

To meet the needs of your environment, you must customize the default security configuration. Table 3-1 lists and describes the tasks you must perform to do this.

Table 3-1 Tasks to Reset the Default Security Configuration

Task Area	Description
Protect the `subSchemaSubEntry` subentry and its children	Information about the directory is contained in the subentry `subSchemaSubEntry` and its children. Oracle recommends that you control access to these objects.
Establish access to entries	When you load directory entries, you are creating a hierarchy of directory entries. You must therefore establish: Permissions to load entries into this hierarchy Directory access for clients that need read, modify, and write access to directory entries
Modify default access policies	Oracle Internet Directory is installed with a default security configuration described in Chapter 17, "Delegation of Privileges for an Oracle Technology Deployment". Before you begin using the directory, you can modify this default configuration to meet the needs of your environment and ensure that each user has the appropriate authorization.
Modify the default password policy	Password polices are sets of rules that govern how passwords are used. Oracle Internet Directory is installed with a default password policy that you can modify to meet the needs of your environment.
Modify the password of the super user	The super user has full access to directory information. The default user name of the super user is `orcladmin`; the default password is the Oracle Application Server Administrator password that was specified during installation. Modify this password immediately after installation.

3.2 Task 2: Reset the Default Password for the Database

Oracle Internet Directory uses a password when connecting to its desginated Oracle database. The default for this password is the same as that specified during installation for the Oracle Application Server administrator (ias_admin). Change this default password by using the OID Database Password Utility.

3.3 Task 3: Run the OID Database Statistics Collection Tool

If you load data into the directory by any means other than the bulkload tool (bulkload.sh), then you must run the OID Database Statistics Collection tool, $ORACLE_HOME/ldap/admin/oidstats.sql, after loading. This enables the Oracle Optimizer to choose an optimal plan for executing queries corresponding to LDAP operations. You can run OID Database Statistics Collection tool at any time without shutting down any of the OID daemons.

Note:

To run shell script tools on the Windows operating system, you need one of the following UNIX emulation utilities:

Cygwin 1.3.2.2-1 or later. Visit: http://sources.redhat.com
MKS Toolkit 8.6 or later. Visit: http://www.datafocus.com/

3.4 Tasks to Perform After Upgrading from Release 9.0.2

If you have upgraded Oracle Internet Directory from Release 9.0.2 to Release 10.1.2, perform the following tasks.

3.4.1 Set ACL Policy on Groups Container after Upgrade from Release 9.0.2

When upgrading Oracle Internet Directory from Release 9.0.2 to Release 10.1.2, the following ACL policy needs to be set on the groups container in the realm. The ACL policy should allow members of the group cn=Common Group Attributes,cn=groups,Oracle_Context_DN browse, search, and read access for private and public groups—that is, for groups where orclIsVisible is either not set or is set to TRUE or FALSE. This ACL is described in the Oracle Internet Directory Administrator's Guide, in Chapter 17, in the section "Default Privileges for Reading Common Group Attributes".

The "Common Group Attributes" group is used by OracleAS Portal to query private and public groups. The ACI must to be added on the groups container. Change the Realm DN to the DN of the Realm and the DN of groups container in the realm to the appropriate group search base.

dn: DN of groups container in the realm
changetype: modify 
add: orclaci 
orclaci: access to entry filter=(!(orclisvisible=false)) by group="cn=Common Group Attributes,cn=groups, cn=Oracle Context, Realm DN" (browse) 
orclaci: access to attr=(*) filter=(!(orclisvisible=false)) by group="cn=Common Group Attributes,cn=groups,cn=Oracle Context, Realm DN" (search, read) orclaci: access to entry filter=(orclisvisible=false) by group="cn=Common Group Attributes,cn=groups,cn=Oracle Context, Realm DN" (browse) 
orclaci: access to attr=(*) filter=(orclisvisible=false) by group="cn=Common Group Attributes,cn=groups, cn=Oracle Context, Realm DN" (search, read)

3.5 Determining LDAP Port Assignment on UNIX and Linux

During installation of Oracle Application Server or third-party products, you might be prompted for an Oracle Internet Directory or LDAP port. To find the specific port number assigned to Oracle Internet Directory at installation, see the file $ORACLE_HOME/config/ias.properties. Look for the entries OIDport and OIDsslport.

The default port for enabling LDAP at Oracle Internet Directory installation time is 389. The Oracle Universal Installer always tries that port as its first choice. However, on many UNIX computers, /etc/services includes a line for LDAP reserving port 389. When that line is present, the Installer opts instead for a port number between 3060 to 3129, inclusive.

To confirm the port at which Oracle Internet Directory is running, simply run the ldapbind command-line tool, supplying either the host name and port number specified in the portlist.ini file or an alternative port specified during the Oracle Internet Directory installation.

3.6 Log File Locations

Oracle Internet Directory components output their log and trace information to log files in the ORACLE_HOME environment. Table 3-2 lists each component and the location of its corresponding log file.

Table 3-2 Log File Locations

Component	Log File Name
Bulk Loader (bulkload.sh)	`$ORACLE_HOME/ldap/log/bulkload.log`
Catalog Management Tool (catalog.sh)	`$ORACLE_HOME/ldap/log/catalog.log`
Directory integration agent	`$ORACLE_HOME/ldap/odi/log/AgentName.err` where `AgentName` is the name of the agent
Directory integration server (odisrv)	`$ORACLE_HOME/ldap/log/odisrvXX.log` where `XX` is Oracle directory integration and provisioning server instance number
D irectory replication server (oidrepld)	`$ORACLE_HOME/ldap/log/oidrepld00.log`
Directory server (oidldapd)	`$ORACLE_HOME/ldap/log/oidldapdXXspid`.log where pid is the server process identifier `$ORACLE_HOME/ldap/log/oidstack` `instance_identifier` dispatcher \| server `PID`.log Note: The `oidstack.log` files pertain to SIGSEGV/SIGBUS tracing. Also, empty files of this name are created during directory instance startup, and can be ignored.
LDAP dispatcher (oidldapd)	`$ORACLE_HOME/ldap/log/oidldapdXX.log` where `XX` is the server instance number
OID Monitor (oidmon)	`$ORACLE_HOME/ldap/log/oidmon.log`
OPMN	`$ORACLE_HOME/opmn/logs/opmn.log` `$ORACLE_HOME/opmn/logs/OID` `$ORACLE_HOME/opmn/logs/OIDCTL` Log files for other Oracle Application Server components invoked by OPMN in `$ORACLE_HOME/logs/opmn/`.
R eplication setup (ldaprepl.sh)	`$ORACLE_HOME/ldap/admin/LOGS/ldaprepl.log`